Summary:
NtAccessCheck(>) | 1 | NtFsControlFile(>) | 2 | NtReadVirtualMemory(>) | 5 | NtQueryInformationProcess(>) | 17 |
NtDuplicateToken(>) | 1 | NtQueryDebugFilterState(>) | 2 | NtUnmapViewOfSection(>) | 5 | NtProtectVirtualMemory(>) | 18 |
NtOpenDirectoryObject(>) | 1 | NtQueryDefaultUILanguage(>) | 2 | NtWriteFile(>) | 5 | NtOpenProcessTokenEx(>) | 22 |
NtOpenKeyedEvent(>) | 1 | NtQueryInformationJobObject(>) | 2 | NtQueryVolumeInformationFile(>) | 7 | NtOpenThreadTokenEx(>) | 22 |
NtQueryInstallUILanguage(>) | 1 | NtQueryVirtualMemory(>) | 2 | NtEnumerateKey(>) | 8 | NtCreateFile(>) | 23 |
NtQueryKey(>) | 1 | NtResumeThread(>) | 2 | NtFlushInstructionCache(>) | 8 | NtAllocateVirtualMemory(>) | 26 |
NtQueryObject(>) | 1 | NtTerminateProcess(>) | 2 | NtQuerySystemInformation(>) | 8 | NtQueryInformationToken(>) | 29 |
NtReadFile(>) | 1 | NtFreeVirtualMemory(>) | 3 | NtRequestWaitReplyPort(>) | 8 | NtOpenFile(>) | 30 |
NtRegisterThreadTerminatePort(>) | 1 | NtOpenSymbolicLinkObject(>) | 3 | NtWriteVirtualMemory(>) | 8 | NtQueryValueKey(>) | 42 |
NtSecureConnectPort(>) | 1 | NtOpenThreadToken(>) | 3 | NtOpenSection(>) | 9 | NtQueryDirectoryFile(>) | 48 |
NtSetInformationFile(>) | 1 | NtQuerySymbolicLinkObject(>) | 3 | NtQueryAttributesFile(>) | 9 | NtCreateSection(>) | 59 |
NtSetInformationThread(>) | 1 | NtSetInformationObject(>) | 3 | NtSetInformationProcess(>) | 9 | NtOpenKey(>) | 84 |
NtTestAlert(>) | 1 | NtContinue(>) | 4 | NtQueryInformationFile(>) | 10 | NtClose(>) | 230 |
NtCreateProcessEx(>) | 2 | NtQuerySection(>) | 4 | NtMapViewOfSection(>) | 13 | ||
NtCreateThread(>) | 2 | NtOpenProcessToken(>) | 5 |
370\243:V\370I%\\370\252:V\370I%R\370\244:V\370\241:W\370\323:V\370I%]\370\251:V\370\31
370\240:V\370Rich\241:V\370\0\0\0\0\0\0\0\0PE\0\0L\1\3\0p\7(H\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0\320\0\0-\372\0\0\0\340\0\0\0\0\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0DkKl\0\0\0\0\0\320\0\0\0\20\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 8790, 0x0, 0, ... 00299 896 NtContinue (-142418476, 0, ... 00298 896 NtWriteFile ... {status=0x0, info=8790}, ) == 0x0 00300 896 NtClose (16, ... ) == 0x0 00301 896 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00302 896 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL3.tmp"}, 5, 96, ... 16, {status=0x0, info=1}, ) }, 5, 96, ... 16, {status=0x0, info=1}, ) == 0x0 00303 896 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 16, ... 28, ) == 0x0 00304 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00305 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility"}, ... 32, ) }, ... 32, ) == 0x0 00306 896 NtQueryValueKey (32, (32, "DisableAppCompat", Partial, 20, ... ) , Partial, 20, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00307 896 NtClose (32, ... ) == 0x0 00308 896 NtQueryVolumeInformationFile (16, 1241368, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00309 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239300, ... ) }, 1239300, ... ) == 0x0 00310 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 32, {status=0x0, info=1}, ) }, 5, 96, ... 32, {status=0x0, info=1}, ) == 0x0 00311 896 NtCreateSection (0xe, 0x0, 0x0, 16, 134217728, 32, ... 36, ) == 0x0 00312 896 NtClose (32, ... ) == 0x0 00313 896 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 16, ... (0x320000), 0x0, 126976, ) == 0x0 00314 896 NtClose (36, ... ) == 0x0 00315 896 NtUnmapViewOfSection (-1, 0x320000, ... ) == 0x0 00316 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 1239608, ... ) }, 1239608, ... ) == 0x0 00317 896 NtOpenFile (0x100020, {24, 0, 0x40, 0, 0, (0x100020, {24, 0, 0x40, 0, 0, "\??\C:\WINDOWS\system32\Apphelp.dll"}, 5, 96, ... 36, {status=0x0, info=1}, ) }, 5, 96, ... 36, {status=0x0, info=1}, ) == 0x0 00318 896 NtCreateSection (0xf, 0x0, 0x0, 16, 16777216, 36, ... 32, ) == 0x0 00319 896 NtQuerySection (32, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00320 896 NtOpenProcessToken (-1, 0x8, ... 40, ) == 0x0 00321 896 NtQueryInformationToken (40, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00322 896 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00323 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 44, ) }, ... 44, ) == 0x0 00324 896 NtQueryValueKey (44, (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (44, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00325 896 NtClose (44, ... ) == 0x0 00326 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00327 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 44, ) == 0x0 00328 896 NtQueryInformationToken (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00329 896 NtClose (44, ... ) == 0x0 00330 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00331 896 NtClose (40, ... ) == 0x0 00332 896 NtClose (36, ... ) == 0x0 00333 896 NtMapViewOfSection (32, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77b40000), 0x0, 139264, ) == 0x0 00334 896 NtClose (32, ... ) == 0x0 00335 896 NtProtectVirtualMemory (-1, (0x77b41000), 524, 4, ... (0x77b41000), 4096, 32, ) == 0x0 00336 896 NtProtectVirtualMemory (-1, (0x77b41000), 4096, 32, ... (0x77b41000), 4096, 4, ) == 0x0 00337 896 NtFlushInstructionCache (-1, 2008289280, 524, ... ) == 0x0 00338 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00339 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00340 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00341 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 32, {status=0x0, info=1}, ) == 0x0 00342 896 NtQueryInformationFile (32, 1239624, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00343 896 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 32, ... 36, ) == 0x0 00344 896 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1191936, ) == 0x0 00345 896 NtQueryInformationFile (32, 1239724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00346 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00347 896 NtAllocateVirtualMemory (-1, 1228800, 0, 4096, 4096, 260, ... 1228800, 4096, ) == 0x0 00348 896 NtQuerySystemInformation (Processor, 12, ... {system info, class 1, size 12}, 0x0, ) == 0x0 00349 896 NtQueryInformationProcess (-1, Wow64, 4, ... {process info, class 26, size 4}, 0x0, ) == 0x0 00350 896 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00351 896 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 40, ) }, ... 40, ) == 0x0 00352 896 NtQueryValueKey (40, (40, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (40, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00353 896 NtClose (40, ... ) == 0x0 00354 896 NtCreateFile (0x120116, {24, 0, 0x40, 0, 0, (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00355 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0 00356 896 NtQueryDirectoryFile (40, 0, 0, 0, 1237320, 616, BothDirectory, 1, (40, 0, 0, 0, 1237320, 616, BothDirectory, 1, "DIL3.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00357 896 NtClose (40, ... ) == 0x0 00358 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00359 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00360 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL3.tmp"}, 1237696, ... ) }, 1237696, ... ) == 0x0 00361 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0 00362 896 NtQueryDirectoryFile (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 00363 896 NtClose (40, ... ) == 0x0 00364 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0 00365 896 NtQueryDirectoryFile (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, "MARTIM~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00366 896 NtClose (40, ... ) == 0x0 00367 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0 00368 896 NtQueryDirectoryFile (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00369 896 NtClose (40, ... ) == 0x0 00370 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0 00371 896 NtQueryDirectoryFile (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00372 896 NtClose (40, ... ) == 0x0 00373 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 40, {status=0x0, info=1}, ) }, 3, 16417, ... 40, {status=0x0, info=1}, ) == 0x0 00374 896 NtQueryDirectoryFile (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, (40, 0, 0, 0, 1237124, 616, BothDirectory, 1, "DIL3.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00375 896 NtClose (40, ... ) == 0x0 00376 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00377 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00378 896 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00379 896 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00380 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00381 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00382 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00383 896 NtClose (40, ... ) == 0x0 00384 896 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00385 896 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\DIL3.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00386 896 NtUnmapViewOfSection (-1, 0x410000, ... ) == 0x0 00387 896 NtClose (36, ... ) == 0x0 00388 896 NtClose (32, ... ) == 0x0 00389 896 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 00390 896 NtOpenProcessToken (-1, 0xa, ... 32, ) == 0x0 00391 896 NtQueryInformationToken (32, User, 136, ... {token info, class 1, size 36}, 36, ) == 0x0 00392 896 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00393 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 36, ) }, ... 36, ) == 0x0 00394 896 NtQueryValueKey (36, (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "TransparentEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\1\0\0\0"}, 16, ) }, 16, ) == 0x0 00395 896 NtQueryValueKey (36, (36, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (36, "AuthenticodeEnabled", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00396 896 NtClose (36, ... ) == 0x0 00397 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "ADVAPI32.DLL"}, ... 36, ) }, ... 36, ) == 0x0 00398 896 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77dd0000), 0x0, 634880, ) == 0x0 00399 896 NtClose (36, ... ) == 0x0 00400 896 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00401 896 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00402 896 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00403 896 NtOpenSection (0xe, {24, 8, 0x40, 0, 0, (0xe, {24, 8, 0x40, 0, 0, "RPCRT4.dll"}, ... 36, ) }, ... 36, ) == 0x0 00404 896 NtMapViewOfSection (36, -1, (0x0), 0, 0, 0x0, 0, 1, 0, 4, ... (0x77e70000), 0x0, 593920, ) == 0x0 00405 896 NtClose (36, ... ) == 0x0 00406 896 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00407 896 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00408 896 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00409 896 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00410 896 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00411 896 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00412 896 NtProtectVirtualMemory (-1, (0x77e71000), 868, 4, ... (0x77e71000), 4096, 32, ) == 0x0 00413 896 NtProtectVirtualMemory (-1, (0x77e71000), 4096, 32, ... (0x77e71000), 4096, 4, ) == 0x0 00414 896 NtFlushInstructionCache (-1, 2011631616, 868, ... ) == 0x0 00415 896 NtProtectVirtualMemory (-1, (0x77dd1000), 1700, 4, ... (0x77dd1000), 4096, 32, ) == 0x0 00416 896 NtProtectVirtualMemory (-1, (0x77dd1000), 4096, 32, ... (0x77dd1000), 4096, 4, ) == 0x0 00417 896 NtFlushInstructionCache (-1, 2010976256, 1700, ... ) == 0x0 00418 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00419 896 NtAllocateVirtualMemory (-1, 1327104, 0, 4096, 4096, 4, ... 1327104, 4096, ) == 0x0 00420 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.DLL"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00421 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\CurrentControlSet\Control\Terminal Server"}, ... 36, ) }, ... 36, ) == 0x0 00422 896 NtQueryValueKey (36, (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSAppCompat", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00423 896 NtQueryValueKey (36, (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 548, ... TitleIdx=0, Type=4, Data= (36, "TSUserEnabled", Partial, 548, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00424 896 NtClose (36, ... ) == 0x0 00425 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"}, ... 36, ) }, ... 36, ) == 0x0 00426 896 NtQueryValueKey (36, (36, "LeakTrack", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00427 896 NtClose (36, ... ) == 0x0 00428 896 NtOpenKey (0x2000000, {24, 0, 0x40, 0, 0, (0x2000000, {24, 0, 0x40, 0, 0, "\REGISTRY\MACHINE"}, ... 36, ) }, ... 36, ) == 0x0 00429 896 NtSetInformationObject (36, Handle, {Inherit=0,ProtectFromClose=1,}, 2011431168, ... ) == 0x0 00430 896 NtOpenKey (0x20019, {24, 36, 0x40, 0, 0, (0x20019, {24, 36, 0x40, 0, 0, "Software\Microsoft\Windows NT\CurrentVersion\Diagnostics"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00431 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00432 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00433 896 NtQueryValueKey (40, (40, "Levels", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00434 896 NtClose (40, ... ) == 0x0 00435 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00436 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00437 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00438 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00439 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00440 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00441 896 NtAllocateVirtualMemory (-1, 1331200, 0, 4096, 4096, 4, ... 1331200, 4096, ) == 0x0 00442 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00443 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00444 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00445 896 NtQueryDefaultLocale (1, 1240796, ... ) == 0x0 00446 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... 40, ) }, ... 40, ) == 0x0 00447 896 NtEnumerateKey (40, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (40, 0, Basic, 280, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, 92, ) }, 92, ) == 0x0 00448 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "{dda3f824-d8cb-441b-834d-be2efd2c1a33}"}, ... 44, ) }, ... 44, ) == 0x0 00449 896 NtQueryValueKey (44, (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) , Partial, 280, ... TitleIdx=0, Type=2, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=2, Data="%\0H\0K\0E\0Y\0_\0C\0U\0R\0R\0E\0N\0T\0_\0U\0S\0E\0R\0\\0S\0o\0f\0t\0w\0a\0r\0e\0\\0M\0i\0c\0r\0o\0s\0o\0f\0t\0\\0W\0i\0n\0d\0o\0w\0s\0\\0C\0u\0r\0r\0e\0n\0t\0V\0e\0r\0s\0i\0o\0n\0\\0E\0x\0p\0l\0o\0r\0e\0r\0\\0S\0h\0e\0l\0l\0 \0F\0o\0l\0d\0e\0r\0s\0\\0C\0a\0c\0h\0e\0%\0O\0L\0K\0*\0\0\0"}, 202, ) }, 202, ) == 0x0 00450 896 NtQueryValueKey (44, (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00451 896 NtClose (44, ... ) == 0x0 00452 896 NtEnumerateKey (40, 1, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 00453 896 NtClose (40, ... ) == 0x0 00454 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... 40, ) }, ... 40, ) == 0x0 00455 896 NtEnumerateKey (40, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 0, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, 92, ) }, 92, ) == 0x0 00456 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "{349d35ab-37b5-462f-9b89-edd5fbde1328}"}, ... 44, ) }, ... 44, ) == 0x0 00457 896 NtQueryValueKey (44, (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="^\2530O\225zI\211j\0l\341\25@\25"}, 28, ) }, 28, ) == 0x0 00458 896 NtQueryValueKey (44, (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 00459 896 NtQueryValueKey (44, (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\13\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00460 896 NtQueryValueKey (44, (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00461 896 NtClose (44, ... ) == 0x0 00462 896 NtEnumerateKey (40, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 1, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, 92, ) }, 92, ) == 0x0 00463 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}"}, ... 44, ) }, ... 44, ) == 0x0 00464 896 NtQueryValueKey (44, (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="g\260\324\2134:?\323\274\351\334dg\4\363\224"}, 28, ) }, 28, ) == 0x0 00465 896 NtQueryValueKey (44, (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 00466 896 NtQueryValueKey (44, (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\5\2\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00467 896 NtQueryValueKey (44, (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00468 896 NtClose (44, ... ) == 0x0 00469 896 NtEnumerateKey (40, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 2, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, 92, ) }, 92, ) == 0x0 00470 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}"}, ... 44, ) }, ... 44, ) == 0x0 00471 896 NtQueryValueKey (44, (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="2x\2\334\376\370\310\223\334\212\260\6\335\204}\35"}, 28, ) }, 28, ) == 0x0 00472 896 NtQueryValueKey (44, (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 00473 896 NtQueryValueKey (44, (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\226\3\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00474 896 NtQueryValueKey (44, (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00475 896 NtClose (44, ... ) == 0x0 00476 896 NtEnumerateKey (40, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 3, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, 92, ) }, 92, ) == 0x0 00477 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "{94e3e076-8f53-42a5-8411-085bcc18a68d}"}, ... 44, ) }, ... 44, ) == 0x0 00478 896 NtQueryValueKey (44, (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="\275\232*\333B\353\330V\16%\16M\370\26/g"}, 28, ) }, 28, ) == 0x0 00479 896 NtQueryValueKey (44, (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 00480 896 NtQueryValueKey (44, (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="\345\0\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00481 896 NtQueryValueKey (44, (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00482 896 NtClose (44, ... ) == 0x0 00483 896 NtEnumerateKey (40, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name= (40, 4, Basic, 280, ... {LastWrite={0x38ab3b74,0x1c74d7e}, TitleIdx=0, Name="{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, 92, ) }, 92, ) == 0x0 00484 896 NtOpenKey (0x20019, {24, 40, 0x40, 0, 0, (0x20019, {24, 40, 0x40, 0, 0, "{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}"}, ... 44, ) }, ... 44, ) == 0x0 00485 896 NtQueryValueKey (44, (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) , Partial, 280, ... TitleIdx=0, Type=3, Data= (44, "ItemData", Partial, 280, ... TitleIdx=0, Type=3, Data="8k\10_\204\354\366i\323k\225j"\300\36\200"}, 28, ) \300\36\200"}, 28, ) == 0x0 00486 896 NtQueryValueKey (44, (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "HashAlg", Partial, 280, ... TitleIdx=0, Type=4, Data="\3\200\0\0"}, 16, ) }, 16, ) == 0x0 00487 896 NtQueryValueKey (44, (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) , Partial, 280, ... TitleIdx=0, Type=11, Data= (44, "ItemSize", Partial, 280, ... TitleIdx=0, Type=11, Data="r\1\0\0\0\0\0\0"}, 20, ) }, 20, ) == 0x0 00488 896 NtQueryValueKey (44, (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 280, ... TitleIdx=0, Type=4, Data= (44, "SaferFlags", Partial, 280, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00489 896 NtClose (44, ... ) == 0x0 00490 896 NtEnumerateKey (40, 5, Basic, 280, ... ) == STATUS_NO_MORE_ENTRIES 00491 896 NtClose (40, ... ) == 0x0 00492 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00493 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00494 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00495 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00496 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00497 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00498 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00499 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00500 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00501 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00502 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00503 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00504 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00505 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00506 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00507 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00508 896 NtClose (40, ... ) == 0x0 00509 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00510 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00511 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00512 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00513 896 NtClose (40, ... ) == 0x0 00514 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00515 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00516 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00517 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00518 896 NtClose (40, ... ) == 0x0 00519 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00520 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00521 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00522 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00523 896 NtClose (40, ... ) == 0x0 00524 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00525 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00526 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00527 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00528 896 NtClose (40, ... ) == 0x0 00529 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00530 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00531 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00532 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00533 896 NtClose (40, ... ) == 0x0 00534 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00535 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00536 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00537 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00538 896 NtClose (40, ... ) == 0x0 00539 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00540 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00541 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00542 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00543 896 NtClose (40, ... ) == 0x0 00544 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00545 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00546 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00547 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00548 896 NtClose (40, ... ) == 0x0 00549 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00550 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00551 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00552 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00553 896 NtClose (40, ... ) == 0x0 00554 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00555 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00556 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00557 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00558 896 NtClose (40, ... ) == 0x0 00559 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00560 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00561 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00562 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00563 896 NtClose (40, ... ) == 0x0 00564 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00565 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00566 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00567 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00568 896 NtClose (40, ... ) == 0x0 00569 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00570 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00571 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00572 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00573 896 NtClose (40, ... ) == 0x0 00574 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00575 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00576 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00577 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00578 896 NtClose (40, ... ) == 0x0 00579 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00580 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00581 896 NtQueryValueKey (40, (40, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Full, 524, ... TitleIdx=0, Type=4, Name= (40, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) , Data= (40, "DefaultLevel", Full, 524, ... TitleIdx=0, Type=4, Name="DefaultLevel", Data="\0\0\4\0"}, 48, ) }, 48, ) == 0x0 00582 896 NtClose (40, ... ) == 0x0 00583 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00584 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 40, ) == 0x0 00585 896 NtQueryInformationToken (40, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00586 896 NtClose (40, ... ) == 0x0 00587 896 NtOpenKey (0x20019, {24, 0, 0x40, 0, 0, (0x20019, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00588 896 NtOpenThreadToken (-2, 0x8, 0, ... ) == STATUS_NO_TOKEN 00589 896 NtOpenProcessToken (-1, 0xa, ... 40, ) == 0x0 00590 896 NtDuplicateToken (40, 0xc, {24, 0, 0x0, 0, 1241228, 0x0}, 0, 2, ... 44, ) == 0x0 00591 896 NtClose (40, ... ) == 0x0 00592 896 NtAccessCheck (1323816, 44, 0x1, 1241304, 1241356, 56, 1241336, ... (0x1), ) == 0x0 00593 896 NtClose (44, ... ) == 0x0 00594 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 44, ) }, ... 44, ) == 0x0 00595 896 NtQueryValueKey (44, (44, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 80, ... TitleIdx=0, Type=4, Data= (44, "PolicyScope", Partial, 80, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00596 896 NtClose (44, ... ) == 0x0 00597 896 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 44, ) }, ... 44, ) == 0x0 00598 896 NtQuerySymbolicLinkObject (44, ... (44, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 00599 896 NtClose (44, ... ) == 0x0 00600 896 NtQueryVolumeInformationFile (16, 1239060, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00601 896 NtQueryInformationFile (16, 1239176, 528, Name, ... {status=0x0, info=86}, ) == 0x0 00602 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00603 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00604 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL3.tmp"}, 1238348, ... ) }, 1238348, ... ) == 0x0 00605 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0 00606 896 NtQueryDirectoryFile (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 00607 896 NtClose (44, ... ) == 0x0 00608 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0 00609 896 NtQueryDirectoryFile (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, "MARTIM~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00610 896 NtClose (44, ... ) == 0x0 00611 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0 00612 896 NtQueryDirectoryFile (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00613 896 NtClose (44, ... ) == 0x0 00614 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0 00615 896 NtQueryDirectoryFile (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00616 896 NtClose (44, ... ) == 0x0 00617 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 44, {status=0x0, info=1}, ) }, 3, 16417, ... 44, {status=0x0, info=1}, ) == 0x0 00618 896 NtQueryDirectoryFile (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, (44, 0, 0, 0, 1237776, 616, BothDirectory, 1, "DIL3.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00619 896 NtClose (44, ... ) == 0x0 00620 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00621 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00622 896 NtQueryInformationFile (16, 1241216, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00623 896 NtCreateSection (0xf0005, 0x0, {8790, 0}, 2, 134217728, 16, ... 44, ) == 0x0 00624 896 NtMapViewOfSection (44, -1, (0x0), 0, 0, {0, 0}, 8790, 1, 0, 2, ... (0x320000), {0, 0}, 12288, ) == 0x0 00625 896 NtClose (44, ... ) == 0x0 00626 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00627 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 44, ) == 0x0 00628 896 NtQueryInformationToken (44, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00629 896 NtClose (44, ... ) == 0x0 00630 896 NtOpenKey (0x20019, {24, 0, 0x640, 0, 0, (0x20019, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 44, ) }, ... 44, ) == 0x0 00631 896 NtOpenKey (0x20019, {24, 44, 0x40, 0, 0, (0x20019, {24, 44, 0x40, 0, 0, "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"}, ... 40, ) }, ... 40, ) == 0x0 00632 896 NtClose (44, ... ) == 0x0 00633 896 NtQueryValueKey (40, (40, "Cache", Partial, 144, ... ) , Partial, 144, ... ) == STATUS_BUFFER_OVERFLOW 00634 896 NtQueryValueKey (40, (40, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) , Partial, 174, ... TitleIdx=0, Type=1, Data= (40, "Cache", Partial, 174, ... TitleIdx=0, Type=1, Data="C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0L\0o\0c\0a\0l\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0T\0e\0m\0p\0o\0r\0a\0r\0y\0 \0I\0n\0t\0e\0r\0n\0e\0t\0 \0F\0i\0l\0e\0s\0\0\0"}, 174, ) }, 174, ) == 0x0 00635 896 NtClose (40, ... ) == 0x0 00636 896 NtUnmapViewOfSection (-1, 0x320000, ... ) == 0x0 00637 896 NtAllocateVirtualMemory (-1, 0, 0, 4096, 8192, 4, ... 3276800, 4096, ) == 0x0 00638 896 NtAllocateVirtualMemory (-1, 3276800, 0, 4096, 4096, 4, ... 3276800, 4096, ) == 0x0 00639 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 40, ) }, ... 40, ) == 0x0 00640 896 NtQueryValueKey (40, (40, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00641 896 NtClose (40, ... ) == 0x0 00642 896 NtOpenKey (0x3, {24, 0, 0x40, 0, 0, (0x3, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00643 896 NtQueryInformationToken (32, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 00644 896 NtQueryInformationToken (32, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 00645 896 NtClose (32, ... ) == 0x0 00646 896 NtQuerySection (28, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00647 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DIL3.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00648 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager"}, ... 32, ) }, ... 32, ) == 0x0 00649 896 NtQueryValueKey (32, (32, "SafeDllSearchMode", Partial, 16, ... ) , Partial, 16, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00650 896 NtClose (32, ... ) == 0x0 00651 896 NtAllocateVirtualMemory (-1, 1335296, 0, 4096, 4096, 4, ... 1335296, 4096, ) == 0x0 00652 896 NtQuerySystemInformation (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0 00653 896 NtCreateProcessEx (1243140, 2035711, 0, -1, 0, 28, 0, 0, 0, ... ) == 0x0 00654 896 NtQueryInformationProcess (32, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdd000,AffinityMask=0x1,BasePriority=8,Pid=2016,ParentPid=1252,}, 0x0, ) == 0x0 00655 896 NtReadVirtualMemory (32, 0x7ffdd008, 4, ... (32, 0x7ffdd008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 00656 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL3.tmp.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00657 896 NtAllocateVirtualMemory (-1, 1339392, 0, 8192, 4096, 4, ... 1339392, 8192, ) == 0x0 00658 896 NtReadVirtualMemory (32, 0x400000, 4096, ... (32, 0x400000, 4096, ... "MZ\220\0\3\0\0\0\4\0\0\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\330\0\0\0\16\37\272\16\0\264\11\315!\270\1L\315!This program cannot be run in DOS mode.\15\15\12$\0\0\0\0\0\0\0\345[8\253\241:V\370\241:V\370\241:V\370\303%E\370\251:V\370"&X\370\243:V\370I%\\370\252:V\370I%R\370\244:V\370\241:W\370\323:V\370I%]\370\251:V\370\31
370\243:V\370I%\\370\252:V\370I%R\370\244:V\370\241:W\370\323:V\370I%]\370\251:V\370\31
370\240:V\370Rich\241:V\370\0\0\0\0\0\0\0\0PE\0\0L\1\3\0p\7(H\0\0\0\0\0\0\0\0\340\0\17\1\13\1\6\0\0 \0\0\0\20\0\0\0\320\0\0-\372\0\0\0\340\0\0\0\0\1\0\0\0@\0\0\20\0\0\0\2\0\0\4\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\20\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0\20\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0DkKl\0\0\0\0\0\320\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) == 0x0 00659 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00660 896 NtQueryInformationProcess (32, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffdd000,AffinityMask=0x1,BasePriority=8,Pid=2016,ParentPid=1252,}, 0x0, ) == 0x0 00661 896 NtAllocateVirtualMemory (-1, 0, 0, 2476, 4096, 4, ... 3342336, 4096, ) == 0x0 00662 896 NtAllocateVirtualMemory (32, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0 00663 896 NtWriteVirtualMemory (32, 0x10000, (32, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0 00664 896 NtAllocateVirtualMemory (32, 0, 0, 2476, 4096, 4, ... 131072, 4096, ) == 0x0 00665 896 NtWriteVirtualMemory (32, 0x20000, (32, 0x20000, "\0\20\0\0\254\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\22\4\24\4\230\4\0\0V\0X\0\254\10\0\0Z\0\\0\4\11\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0`\11\0\0\36\0 \0\210\11\0\0\0\0\2\0\250\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2476, ... 0x0, ) , 2476, ... 0x0, ) == 0x0 00666 896 NtWriteVirtualMemory (32, 0x7ffdd010, (32, 0x7ffdd010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00667 896 NtWriteVirtualMemory (32, 0x7ffdd1e8, (32, 0x7ffdd1e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00668 896 NtFreeVirtualMemory (-1, (0x330000), 0, 32768, ... (0x330000), 4096, ) == 0x0 00669 896 NtAllocateVirtualMemory (32, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 00670 896 NtAllocateVirtualMemory (32, 1236992, 0, 8192, 4096, 4, ... 1236992, 8192, ) == 0x0 00671 896 NtProtectVirtualMemory (32, (0x12e000), 4096, 260, ... (0x12e000), 4096, 4, ) == 0x0 00672 896 NtCreateThread (0x1f03ff, 0x0, 32, 1243148, 1242812, 1, ... 40, {2016, 596}, ) == 0x0 00673 896 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1124073472, 0, 0, 1318630} (24, {168, 196, new_msg, 0, 1124073472, 0, 0, 1318630} "\0\0\0\0\0\0\1\0\333\206\0\0p\372\22\0#\0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\375\177\0\0\0\0\0\0\0\0d\377\22\0" ... {168, 196, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0\0\0\1\0\0\0\0\0p\372\22\0 \0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\375\177\0\0\0\0\0\0\0\0d\377\22\0" ) ... {168, 196, reply, 0, 1252, 896, 81835, 0} (24, {168, 196, new_msg, 0, 1124073472, 0, 0, 1318630} "\0\0\0\0\0\0\1\0\333\206\0\0p\372\22\0#\0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\375\177\0\0\0\0\0\0\0\0d\377\22\0" ... {168, 196, reply, 0, 1252, 896, 81835, 0} "\0\0\0\0\0\0\1\0\0\0\0\0p\372\22\0 \0\0\0(\0\0\0\340\7\0\0T\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\320\375\177\0\0\0\0\0\0\0\0d\377\22\0" ) ) == 0x0 00674 896 NtResumeThread (40, ... 1, ) == 0x0 00675 896 NtClose (16, ... ) == 0x0 00676 896 NtClose (28, ... ) == 0x0 00677 896 NtQueryDefaultLocale (1, 1244956, ... ) == 0x0 00678 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp"}, 1244704, ... ) }, 1244704, ... ) == 0x0 00679 896 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 1245056, 2089878865, 1315608, 2089878893} (24, {20, 48, new_msg, 0, 1245056, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0\333\206\0\0\2\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\2\0\1\0\4\0\0\0\333\206\0\0\4\0\0\0" ) ... {20, 48, reply, 0, 1252, 896, 81840, 0} (24, {20, 48, new_msg, 0, 1245056, 2089878865, 1315608, 2089878893} "\0\0\0\0\2\0\1\0\0\0\0\0\333\206\0\0\2\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81840, 0} "\0\0\0\0\2\0\1\0\4\0\0\0\333\206\0\0\4\0\0\0" ) ) == 0x0 00680 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 1244712, (0x80100080, {24, 0, 0x40, 0, 1244712, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL4.tmp"}, 0x0, 128, 0, 2, 96, 0, 0, ... }, 0x0, 128, 0, 2, 96, 0, 0, ... 00681 896 NtQueryDirectoryFile (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0 00682 896 NtClose (-2147481368, ... ) == 0x0 00683 896 NtQueryDirectoryFile (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00684 896 NtClose (-2147481368, ... ) == 0x0 00685 896 NtQueryDirectoryFile (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00686 896 NtClose (-2147481368, ... ) == 0x0 00680 896 NtCreateFile ... 28, {status=0x0, info=2}, ) == 0x0 00687 896 NtClose (28, ... ) == 0x0 00688 896 NtCreateFile (0x40100080, {24, 0, 0x40, 0, 1245000, (0x40100080, {24, 0, 0x40, 0, 1245000, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL4.tmp"}, 0x0, 0, 0, 5, 96, 0, 0, ... }, 0x0, 0, 0, 5, 96, 0, 0, ... 00689 896 NtClose (-2147481368, ... ) == 0x0 00690 896 NtQueryDirectoryFile (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, "DOCUME~1", 1, ... {status=0x0, info=56}, ) , 1, ... {status=0x0, info=56}, ) == 0x0 00691 896 NtClose (-2147481368, ... ) == 0x0 00692 896 NtQueryDirectoryFile (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, "MARTIM~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00693 896 NtClose (-2147481368, ... ) == 0x0 00694 896 NtQueryDirectoryFile (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, (-2147481368, 0, 0, 0, -518782976, 4096, Names, 1, "LOCALS~1", 1, ... {status=0x0, info=40}, ) , 1, ... {status=0x0, info=40}, ) == 0x0 00695 896 NtClose (-2147481368, ... ) == 0x0 00688 896 NtCreateFile ... 28, {status=0x0, info=3}, ) == 0x0 00696 896 NtWriteFile (28, 0, 0, 0, (28, 0, 0, 0, "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\31^B*\0\0\0\0\0\0\0\0\340\0\217\201\13\1\2\31\0`\0\0\0\20\0\0\0\300\0\0\0(\1\0\0\320\0\0\00\1\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\3501\1\0\\1\0\0\00\1\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220)\1\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 25088, 0x0, 0, ... , 25088, 0x0, 0, ... 00697 896 NtContinue (-142418476, 0, ... 00696 896 NtWriteFile ... {status=0x0, info=25088}, ) == 0x0 00698 896 NtClose (28, ... ) == 0x0 00699 896 NtQueryInformationJobObject (0, BasicUIRestrictions, 4, ... ) == STATUS_ACCESS_DENIED 00700 896 NtOpenFile (0x1000a1, {24, 0, 0x40, 0, 0, (0x1000a1, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL4.tmp"}, 5, 96, ... 28, {status=0x0, info=1}, ) }, 5, 96, ... 28, {status=0x0, info=1}, ) == 0x0 00701 896 NtCreateSection (0xf001f, 0x0, 0x0, 16, 16777216, 28, ... 16, ) == 0x0 00702 896 NtQueryVolumeInformationFile (28, 1241368, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00703 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\sysmain.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) }, 0x0, 128, 1, 1, 96, 0, 0, ... 44, {status=0x0, info=1}, ) == 0x0 00704 896 NtQueryInformationFile (44, 1239624, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00705 896 NtCreateSection (0x4, 0x0, 0x0, 2, 134217728, 44, ... 48, ) == 0x0 00706 896 NtMapViewOfSection (48, -1, (0x0), 0, 0, 0x0, 0, 2, 0, 2, ... (0x410000), 0x0, 1191936, ) == 0x0 00707 896 NtQueryInformationFile (44, 1239724, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00708 896 NtCreateFile (0x80100080, {24, 0, 0x40, 0, 0, (0x80100080, {24, 0, 0x40, 0, 0, "\SystemRoot\AppPatch\systest.sdb"}, 0x0, 128, 1, 1, 96, 0, 0, ... ) }, 0x0, 128, 1, 1, 96, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00709 896 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\System\WPA\TabletPC"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00710 896 NtOpenKey (0x101, {24, 0, 0x40, 0, 0, (0x101, {24, 0, 0x40, 0, 0, "\Registry\Machine\SYSTEM\WPA\MediaCenter"}, ... 52, ) }, ... 52, ) == 0x0 00711 896 NtQueryValueKey (52, (52, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) , Partial, 256, ... TitleIdx=0, Type=4, Data= (52, "Installed", Partial, 256, ... TitleIdx=0, Type=4, Data="\0\0\0\0"}, 16, ) }, 16, ) == 0x0 00712 896 NtClose (52, ... ) == 0x0 00713 896 NtCreateFile (0x120116, {24, 0, 0x40, 0, 0, (0x120116, {24, 0, 0x40, 0, 0, "\Device\NamedPipe\ShimViewer"}, 0x0, 128, 0, 1, 0, 0, 0, ... ) }, 0x0, 128, 0, 1, 0, 0, 0, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00714 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00715 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237320, 616, BothDirectory, 1, (52, 0, 0, 0, 1237320, 616, BothDirectory, 1, "DIL4.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00716 896 NtClose (52, ... ) == 0x0 00717 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00718 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00719 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL4.tmp"}, 1237696, ... ) }, 1237696, ... ) == 0x0 00720 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00721 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 00722 896 NtClose (52, ... ) == 0x0 00723 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00724 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, "MARTIM~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00725 896 NtClose (52, ... ) == 0x0 00726 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00727 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00728 896 NtClose (52, ... ) == 0x0 00729 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00730 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00731 896 NtClose (52, ... ) == 0x0 00732 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00733 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, (52, 0, 0, 0, 1237124, 616, BothDirectory, 1, "DIL4.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00734 896 NtClose (52, ... ) == 0x0 00735 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00736 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00737 896 NtQueryInformationProcess (-1, DeviceMap, 36, ... {process info, class 23, size 36}, 0x0, ) == 0x0 00738 896 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00739 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00740 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 52, ) == 0x0 00741 896 NtQueryInformationToken (52, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00742 896 NtClose (52, ... ) == 0x0 00743 896 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00744 896 NtOpenKey (0x80000100, {24, 0, 0x40, 0, 0, (0x80000100, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\DIL4.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00745 896 NtUnmapViewOfSection (-1, 0x410000, ... ) == 0x0 00746 896 NtClose (48, ... ) == 0x0 00747 896 NtClose (44, ... ) == 0x0 00748 896 NtOpenThreadToken (-2, 0x2000000, 1, ... ) == STATUS_NO_TOKEN 00749 896 NtOpenProcessToken (-1, 0xa, ... 44, ) == 0x0 00750 896 NtOpenKey (0x2000000, {24, 36, 0x40, 0, 0, (0x2000000, {24, 36, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 48, ) }, ... 48, ) == 0x0 00751 896 NtQueryKey (48, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name= (48, Basic, 520, ... {LastWrite={0x3a5edea,0x1c74da9}, TitleIdx=0, Name="CodeIdentifierso"}, 46, ) }, 46, ) == 0x0 00752 896 NtClose (48, ... ) == 0x0 00753 896 NtOpenThreadTokenEx (-2, 0x20008, 1, 512, ... ) == STATUS_NO_TOKEN 00754 896 NtOpenProcessTokenEx (-1, 0x20008, 512, ... 48, ) == 0x0 00755 896 NtQueryInformationToken (48, User, 80, ... {token info, class 1, size 36}, 36, ) == 0x0 00756 896 NtClose (48, ... ) == 0x0 00757 896 NtOpenKey (0x2000000, {24, 0, 0x640, 0, 0, (0x2000000, {24, 0, 0x640, 0, 0, "\REGISTRY\USER\S-1-5-21-1292428093-1383384898-725345543-1003"}, ... 48, ) }, ... 48, ) == 0x0 00758 896 NtSetInformationObject (48, Handle, {Inherit=0,ProtectFromClose=1,}, 1179904, ... ) == 0x0 00759 896 NtOpenKey (0x2000000, {24, 48, 0x40, 0, 0, (0x2000000, {24, 48, 0x40, 0, 0, "Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00760 896 NtOpenSymbolicLinkObject (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\??\C:"}, ... 52, ) }, ... 52, ) == 0x0 00761 896 NtQuerySymbolicLinkObject (52, ... (52, ... "\Device\HarddiskVolume1", 48, ) , 48, ) == 0x0 00762 896 NtClose (52, ... ) == 0x0 00763 896 NtQueryVolumeInformationFile (28, 1239060, 8, Device, ... {status=0x0, info=8}, ) == 0x0 00764 896 NtQueryInformationFile (28, 1239176, 528, Name, ... {status=0x0, info=86}, ) == 0x0 00765 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00766 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00767 896 NtQueryAttributesFile ({24, 0, 0x40, 0, 0, ({24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL4.tmp"}, 1238348, ... ) }, 1238348, ... ) == 0x0 00768 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00769 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, "DOCUME~1", 0, ... {status=0x0, info=138}, ) , 0, ... {status=0x0, info=138}, ) == 0x0 00770 896 NtClose (52, ... ) == 0x0 00771 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00772 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, "MARTIM~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00773 896 NtClose (52, ... ) == 0x0 00774 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00775 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, "LOCALS~1", 0, ... {status=0x0, info=122}, ) , 0, ... {status=0x0, info=122}, ) == 0x0 00776 896 NtClose (52, ... ) == 0x0 00777 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00778 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, "Temp", 0, ... {status=0x0, info=102}, ) , 0, ... {status=0x0, info=102}, ) == 0x0 00779 896 NtClose (52, ... ) == 0x0 00780 896 NtOpenFile (0x100001, {24, 0, 0x40, 0, 0, (0x100001, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\"}, 3, 16417, ... 52, {status=0x0, info=1}, ) }, 3, 16417, ... 52, {status=0x0, info=1}, ) == 0x0 00781 896 NtQueryDirectoryFile (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, (52, 0, 0, 0, 1237776, 616, BothDirectory, 1, "DIL4.tmp", 0, ... {status=0x0, info=110}, ) , 0, ... {status=0x0, info=110}, ) == 0x0 00782 896 NtClose (52, ... ) == 0x0 00783 896 NtQueryInformationProcess (-1, DefaultHardErrorMode, 4, ... {process info, class 12, size 4}, 0x0, ) == 0x0 00784 896 NtSetInformationProcess (-1, DefaultHardErrorMode, {process info, class 12, size 4}, 4, ... ) == 0x0 00785 896 NtQueryInformationFile (28, 1241216, 24, Standard, ... {status=0x0, info=24}, ) == 0x0 00786 896 NtCreateSection (0xf0005, 0x0, {25088, 0}, 2, 134217728, 28, ... 52, ) == 0x0 00787 896 NtMapViewOfSection (52, -1, (0x0), 0, 0, {0, 0}, 25088, 1, 0, 2, ... (0x330000), {0, 0}, 28672, ) == 0x0 00788 896 NtClose (52, ... ) == 0x0 00789 896 NtUnmapViewOfSection (-1, 0x330000, ... ) == 0x0 00790 896 NtOpenKey (0x1, {24, 0, 0x40, 0, 0, (0x1, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"}, ... 52, ) }, ... 52, ) == 0x0 00791 896 NtQueryValueKey (52, (52, "LogFileName", Partial, 536, ... ) , Partial, 536, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00792 896 NtClose (52, ... ) == 0x0 00793 896 NtQueryInformationToken (44, User, 128, ... {token info, class 1, size 36}, 36, ) == 0x0 00794 896 NtQueryInformationToken (44, 15, 4, ... {token info, class 15, size 4}, 4, ) == 0x0 00795 896 NtClose (44, ... ) == 0x0 00796 896 NtQuerySection (16, Image, 48, ... {section info, class 1, size 48}, 0x0, ) == 0x0 00797 896 NtOpenKey (0x80000000, {24, 0, 0x40, 0, 0, (0x80000000, {24, 0, 0x40, 0, 0, "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DIL4.tmp"}, ... ) }, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00798 896 NtQuerySystemInformation (71, 4, ... {system info, class 71, size 4}, 0x0, ) == 0x0 00799 896 NtCreateProcessEx (1243140, 2035711, 0, -1, 0, 16, 0, 0, 0, ... ) == 0x0 00800 896 NtQueryInformationProcess (44, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd8000,AffinityMask=0x1,BasePriority=8,Pid=376,ParentPid=1252,}, 0x0, ) == 0x0 00801 896 NtReadVirtualMemory (44, 0x7ffd8008, 4, ... (44, 0x7ffd8008, 4, ... "\0\0@\0", 0x0, ) , 0x0, ) == 0x0 00802 896 NtOpenFile (0x1200a9, {24, 0, 0x40, 0, 0, (0x1200a9, {24, 0, 0x40, 0, 0, "\??\C:\DOCUME~1\MARTIM~1\LOCALS~1\Temp\DIL4.tmp.Manifest"}, 1, 96, ... ) }, 1, 96, ... ) == STATUS_OBJECT_NAME_NOT_FOUND 00803 896 NtReadVirtualMemory (44, 0x400000, 4096, ... (44, 0x400000, 4096, ... "MZP\0\2\0\0\0\4\0\17\0\377\377\0\0\270\0\0\0\0\0\0\0@\0\32\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\0\272\20\0\16\37\264\11\315!\270\1L\315!\220\220This program must be run under Win32\15\12$7\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0PE\0\0L\1\3\0\31^B*\0\0\0\0\0\0\0\0\340\0\217\201\13\1\2\31\0`\0\0\0\20\0\0\0\300\0\0\0(\1\0\0\320\0\0\00\1\0\0\0@\0\0\20\0\0\0\2\0\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0@\1\0\0\20\0\0\0\0\0\0\2\0\0\0\0\0\20\0\0@\0\0\0\0\20\0\0\20\0\0\0\0\0\0\20\0\0\0\0\0\0\0\0\0\0\0\3501\1\0\\1\0\0\00\1\0\350\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\220)\1\0\30\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 4096, ) , 4096, ) == 0x0 00804 896 NtReadVirtualMemory (44, 0x413000, 256, ... (44, 0x413000, 256, ... "\0\0\0\0\217\244\2528\0\0\0\0\0\0\2\0\6\0\0\0 \0\0\200\12\0\0\0P\1\0\200\0\0\0\0\217\244\2528\0\0\0\0\0\0\6\0\373\17\0\0`\0\0\200\374\17\0\0\210\0\0\200\375\17\0\0\260\0\0\200\376\17\0\0\330\0\0\200\377\17\0\0\0\1\0\200\0\20\0\0(\1\0\200\0\0\0\0\217\244\2528\0\0\0\0\0\0\1\0\0\0\0\0x\0\0\0\350\1\1\04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\217\244\2528\0\0\0\0\0\0\1\0\0\0\0\0\240\0\0\0\34\2\1\0\354\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\217\244\2528\0\0\0\0\0\0\1\0\0\0\0\0\310\0\0\0\10\3\1\0\320\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\217\244\2528\0\0\0\0\0\0\1\0\0\0\0\0\360\0\0\0\330\3\1\0|\2\0\0\0\0\0\0\0\0\0\0", 256, ) , 256, ) == 0x0 00805 896 NtQueryDebugFilterState (53, 2, ... ) == 0x0 00806 896 NtQueryInformationProcess (44, Basic, 24, ... {ExitStatus=0x103,PebBaseAddress=0x7ffd8000,AffinityMask=0x1,BasePriority=8,Pid=376,ParentPid=1252,}, 0x0, ) == 0x0 00807 896 NtAllocateVirtualMemory (-1, 0, 0, 2476, 4096, 4, ... 3342336, 4096, ) == 0x0 00808 896 NtAllocateVirtualMemory (44, 0, 0, 6432, 4096, 4, ... 65536, 8192, ) == 0x0 00809 896 NtWriteVirtualMemory (44, 0x10000, (44, 0x10000, "=\0A\0:\0=\0A\0:\0\\0\0\0=\0C\0:\0=\0C\0:\0\\0s\0c\0r\0i\0p\0t\0s\0\0\0=\0U\0:\0=\0U\0:\0\\0\0\0A\0L\0L\0U\0S\0E\0R\0S\0P\0R\0O\0F\0I\0L\0E\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0A\0l\0l\0 \0U\0s\0e\0r\0s\0\0\0A\0P\0P\0D\0A\0T\0A\0=\0C\0:\0\\0D\0o\0c\0u\0m\0e\0n\0t\0s\0 \0a\0n\0d\0 \0S\0e\0t\0t\0i\0n\0g\0s\0\\0M\0a\0r\0t\0i\0m\0 \0C\0a\0r\0b\0o\0n\0e\0\\0A\0p\0p\0l\0i\0c\0a\0t\0i\0o\0n\0 \0D\0a\0t\0a\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0I\0N\0C\0_\0R\0O\0O\0T\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\09\00\0~\01\0.\01\08\03\0\\0i\0n\0c\0\0\0A\0T\0L\0_\0L\0I\0B\0_\0P\0A\0T\0H\0=\0C\0:\0\\0W\0I\0N\0D\0D\0K\0\\03\07\0", 6432, ... 0x0, ) , 6432, ... 0x0, ) == 0x0 00810 896 NtAllocateVirtualMemory (44, 0, 0, 2476, 4096, 4, ... 131072, 4096, ) == 0x0 00811 896 NtWriteVirtualMemory (44, 0x20000, (44, 0x20000, "\0\20\0\0\254\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\13\0\0\0\26\0\10\2\220\2\0\0\0\0\0\0\22\4\24\4\230\4\0\0V\0X\0\254\10\0\0Z\0\\0\4\11\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$\0&\0`\11\0\0\36\0 \0\210\11\0\0\0\0\2\0\250\11\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 2476, ... 0x0, ) , 2476, ... 0x0, ) == 0x0 00812 896 NtWriteVirtualMemory (44, 0x7ffd8010, (44, 0x7ffd8010, "\0\0\2\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00813 896 NtWriteVirtualMemory (44, 0x7ffd81e8, (44, 0x7ffd81e8, "\0\0\0\0", 4, ... 0x0, ) , 4, ... 0x0, ) == 0x0 00814 896 NtFreeVirtualMemory (-1, (0x330000), 0, 32768, ... (0x330000), 4096, ) == 0x0 00815 896 NtAllocateVirtualMemory (44, 0, 0, 1048576, 8192, 4, ... 196608, 1048576, ) == 0x0 00816 896 NtAllocateVirtualMemory (44, 1224704, 0, 20480, 4096, 4, ... 1224704, 20480, ) == 0x0 00817 896 NtProtectVirtualMemory (44, (0x12b000), 4096, 260, ... (0x12b000), 4096, 4, ) == 0x0 00818 896 NtCreateThread (0x1f03ff, 0x0, 44, 1243148, 1242812, 1, ... 52, {376, 420}, ) == 0x0 00819 896 NtRequestWaitReplyPort (24, {168, 196, new_msg, 0, 1124074724, 0, 0, 1318630} (24, {168, 196, new_msg, 0, 1124074724, 0, 0, 1318630} "\0\0\0\0\0\0\1\0\333\206\0\0p\372\22\0/\0\0\04\0\0\0x\1\0\0\244\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\0\0d\377\22\0" ... {168, 196, reply, 0, 1252, 896, 81847, 0} "\0\0\0\0\0\0\1\0\0\0\0\0p\372\22\0,\0\0\04\0\0\0x\1\0\0\244\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\0\0d\377\22\0" ) ... {168, 196, reply, 0, 1252, 896, 81847, 0} (24, {168, 196, new_msg, 0, 1124074724, 0, 0, 1318630} "\0\0\0\0\0\0\1\0\333\206\0\0p\372\22\0/\0\0\04\0\0\0x\1\0\0\244\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\0\0d\377\22\0" ... {168, 196, reply, 0, 1252, 896, 81847, 0} "\0\0\0\0\0\0\1\0\0\0\0\0p\372\22\0,\0\0\04\0\0\0x\1\0\0\244\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\230\373\22\0p\11\221|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\200\375\177\0\0\0\0\0\0\0\0d\377\22\0" ) ) == 0x0 00820 896 NtResumeThread (52, ... 1, ) == 0x0 00821 896 NtClose (28, ... ) == 0x0 00822 896 NtClose (16, ... ) == 0x0 00823 896 NtTerminateProcess (0, 0, ... ) == 0x0 00824 896 NtFreeVirtualMemory (-1, (0x320000), 4096, 32768, ... (0x320000), 4096, ) == 0x0 00825 896 NtRequestWaitReplyPort (24, {20, 48, new_msg, 0, 4210736, 3, 0, 1245056} (24, {20, 48, new_msg, 0, 4210736, 3, 0, 1245056} "\0\0\0\0\3\0\1\0\0\0\0\0\0@@\0\0\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0@@\0\0\0\0\0" ) ... {20, 48, reply, 0, 1252, 896, 81852, 0} (24, {20, 48, new_msg, 0, 4210736, 3, 0, 1245056} "\0\0\0\0\3\0\1\0\0\0\0\0\0@@\0\0\0\0\0" ... {20, 48, reply, 0, 1252, 896, 81852, 0} "\0\0\0\0\3\0\1\0\0\0\0\0\0@@\0\0\0\0\0" ) ) == 0x0 00826 896 NtTerminateProcess (-1, 0, ...